I have single-line log entries that come into Splunk looking like this:
Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group
Each entry represents a single login.
I would like to have a count of all log entries with individual names that follow in the <> after the "User" phrase. User is not a defined field, so it has to be done with a rex or something at search time.
The last thing I've tried is:
| rex field=_raw "User\s(?
but all I get with this is a listing of the individual log entries.
Search something like
Group user ip assignment to session | stats count as "login number"
That's it.
If instead you want to really use "Rex" you can do something like
....| rex "User\s<(?
And forget _raw.
Marco
I futzed around with the rex Marco sent and it worked. Just for historical purposes, the rex for this is:
rex "User\s<(?
Thanks again.
Good job.
In that way you have the different logins for each different user. My stats was counting all events where the field user had a value.
Marco
Thank you, but no, I had already tried stats count by user and that didn't work.
You are correct. But you only missed a small thing in the count.
|stats count by user
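As an added illustration of the thread's fix (not code from the thread or from Splunk), the same search-time extraction and per-user count done in Python: a regex in the shape of the final rex, applied to constructed ASA-722051-style events, then counted both ways that were discussed. The group/user/address values and the exact message text are assumptions.

```python
import re
from collections import Counter

# Regex in the shape of the thread's rex: the name inside <> right after
# "User". The named group "user" plays the role of the extracted field that
# `stats count by user` groups on.
USER_RE = re.compile(r"User\s<(?P<user>[^>]+)>")

# Constructed sample events modelled on the ASA-4-722051 entries from the
# question; names, groups and addresses are made up. The last line is a
# different ASA message with no User field, to show it is skipped.
SAMPLE_LOGS = [
    "Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group <RA-VPN> User <alice> "
    "IP <198.51.100.10> IPv4 Address <10.20.0.5> assigned to session",
    "Apr 1 12:35:41 10.1.9.254 %ASA-4-722051: Group <RA-VPN> User <bob> "
    "IP <198.51.100.11> IPv4 Address <10.20.0.6> assigned to session",
    "Apr 1 12:40:02 10.1.9.254 %ASA-4-722051: Group <RA-VPN> User <alice> "
    "IP <198.51.100.12> IPv4 Address <10.20.0.7> assigned to session",
    "Apr 1 12:41:00 10.1.9.254 %ASA-6-302013: Built inbound TCP connection",
]


def extract_user(event):
    """Search-time extraction: the user name, or None when the event has no User <...>."""
    match = USER_RE.search(event)
    return match.group("user") if match else None


def count_logins_by_user(events):
    """Equivalent of `rex ... | stats count by user`: one row per user."""
    return Counter(u for u in map(extract_user, events) if u is not None)


def count_logins(events):
    """Equivalent of the plain `stats count`: every event where user has a value."""
    return sum(count_logins_by_user(events).values())


if __name__ == "__main__":
    for user, n in sorted(count_logins_by_user(SAMPLE_LOGS).items()):
        print(f"{user}\t{n}")
    print("login number", count_logins(SAMPLE_LOGS))
```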
Sorry folks for some confusion. I was writing from my iPad and there was some extra capitalization due to autocorrect.
Marco